Trish And Traci Podcast Hero

Podcast: Cybersecurity Breach Ripple Effect

June 9, 2021
A money-grab hack prompted executive orders to get cybersecurity under control at firms supplying the government. Private companies will have to comply even if they aren’t the primary contractor.

Transcript

Traci: Welcome to this edition of "Process Safety with Trish & Traci," the podcast that aims to share insights from past incidents to help avoid future events. I'm Traci Purdum, senior digital editor with Chemical Processing, and as always, I'm joined by Trish Kerin, the director of the IChemE Safety Centre. Hey, Trish. How are you?

Trish: I'm doing well, Traci. How are you doing today?

Eric Byres

Traci: I'm doing fine. I'm looking forward to today's conversation. One of our more popular podcasts has been our discussion on cybersecurity. But that was a few years and several incidents ago, and you and I both decided it was time to re-address that topic and help us unravel some of the cloak and dagger. We've invited Eric Byres, professional engineer, ISA fellow and CEO of aDolus Technology Inc., creators of a software supply chain management platform for both end users and vendors in the process industry. Eric is widely recognized as one of the world's top experts in the field of ICS and OT security. He is best known for inventing the Tofino firewall licensed by industry giants such as Honeywell, Schneider Electric and Caterpillar. Eric is also the founder of the British Columbia Institute of Technology's Critical Infrastructure Security Centre. Thanks for joining us today, Eric.

Eric: Well, thanks. It's a real pleasure to be here.

Traci: Now, tell me a little bit about the name aDolus. How did that come about?

Eric: Well, so Dolus is a Greek god or a demigod that was known for treachery. He made fakes, fakes of famous...or I don't know if you call them famous, but the goddesses. And they were so authentic that everybody thought that they were praying to the real goddess. And A in ancient Greek is negation. So this is really aDolus, what we're trying to say is no fakes here or at least no fake gods. And it's about fake software.

Traci: That's very cool. I had no idea. I love that.

Eric: That was sort of fun. It's fun. You know, you can come up with all sorts of good names with enough beer.

Traci: Oh, ain't that the truth. Oh, well, Trish, you know, let's get on topic here. I know you've released a paper highlighting the business implications of cybersecurity breaches. But can you give us a rundown on some recent high-profile cases, as well as how an organization's process safety can be compromised from a cyber-attack?

No Time To Listen Now?

No worries! Subscribe and listen whenever, wherever. 

Trish: Yeah, sure. So one of the interesting things we've seen is, in the process industries, when we focused on cybersecurity, for process safety perspective, we all sort of thought so we need to think about our DCS systems or our control systems and make sure no one can get in and operate our plant like we don't know it's being operated. But when you actually go back and look at the history of the different cyber-attacks that have been happening over the last 20, 21 years, a lot of the attacks have been on the enterprise system of the company, not necessarily the operating systems within the process control. And so that means we need to think about these things a little bit differently. And one of the ones I always go back to is interesting.

If we go right back to 2000, there was one where there was an attack on the actual control system of a facility. And it was a wastewater treatment plant. That happened in Australia. And it was a fascinating one because a disgruntled former contractor actually used the Wi-Fi network to hack in and reverse flow on some pumps in the sewage system and caused raw sewage to back up and overflow in, you know, the lobbies of five-star hotels and all this sort of stuff. So it was really quite an amazing story when that one happened. But as I said, more and more we're seeing attacks that are focused towards the enterprise system. And we hadn't really thought that that was going to be that much of a process safety problem. Isn't that just IT's problem to fix? Well, actually, maybe it's not IT's problem to fix. And, you know, in recent times, we've seen back in 2019, there was the Norsk Hydro ransomware attack that basically they had a ransomware attack on all of their enterprise system.

And what then happened was they were unable to operate their facility safely because they lost access to safety-related information, their maintenance protocols, their setpoint documentation. These things don't live necessarily in your control system. And their control system, whilst that wasn't hacked, their enterprise system couldn't talk to their control system. And they actually had to...they ended up in a worldwide shutdown in their aluminum business for that. And we've seen similar attacks, you know, in transportation. There was a road transport company that transports dangerous goods via truck, and again, they were unable to determine what was actually going on in their system because they lost their entire enterprise system due to another ransomware attack.

And obviously, you know, to highlight the most notable one or one of the most notable ones, I think there's probably two at the moment, specifically from the U.S. perspective, is obviously Colonial Pipeline. We're also seeing the meat processing company as well that's having global ramifications because that affected them internationally, a very large international organization. And I thought it was interesting saying the Colonial one where they had to stop the pipeline flow because they lost access to their enterprise system. I've seen some reports that say that it's actually because they were unable to accurately account for their product and therefore bill, which is why they shut down their pipelines, so it may not have actually been a safety-related issue, but certainly interesting that we can see such interruptions that can have safety implications occur across all sorts of different industries, based on someone hacking through email or something like that to get into a company's enterprise system.

Traci: And speaking of Colonial, that's exactly why, Eric, I got you on board. I reached out to you to get your insight on the Colonial Pipeline hack, which obviously, as Trish pointed out, not only affected the chemical industry, but the consumers. So it really brought it front and center for everybody to see exactly what these businesses deal with. A lot was at stake, but you pointed out, it really wasn't an OT or an ICS hack, as Trish just did as well, but can you talk to us a little bit about what happened with Colonial?

Eric: Yeah, well, and Trish really nailed it there. And what happened there and everything that I've got is that what really got hacked was their account management system for product. And that kind of makes sense because there's no sense putting oil into your pipeline and moving it around if you don't know who put the oil in and where the oil is going and how you get it out. You know, it's a bit like banks. Banks can safely store the money in the vault, but if they don't have their accounting system working, they're not going to be taking deposits.

And so we see this all the time. And then people said, oh, this an OT hack, but it wasn't an OT hack, but it's pointing to the fact that OT and IT in every industry is inextricably linked. You can't run without one without the other. And people go, "Oh, we'll air gap them." But that's not the reality. No matter what your product is, you need to understand, you know, what your customer is demanding, what your accounting is. And so when things start to fall apart on those links, even if there's somebody running a USB key back and forth or sneakernetting it back and forth, companies don't run without both their OT and their IT systems functional. And so that's really important to remember, and of course, as we get more and more integration and we have more and more convergence, that's just getting more and more a part of the whole problem.

Traci: Now, one of the events that we really haven't talked about yet is SolarWinds. Can you give us a little insight on what happened there? That was, what, late last year, right?

Eric: Yeah, it was detected in December. And that's when it was detected. It'd actually been probably ongoing for two years when the attackers were first developing their attacks, and they had been successfully penetrating their victims...well, they successfully penetrated their first victim, which was a company called SolarWinds that makes network and security management tools software, probably a year and a half ago, maybe a little earlier than that. Once they got into there, they were basically modifying the software that SolarWinds shipped so that when customers took what they thought was a legitimate SolarWinds software, they were actually taking trojanized, modified software. In other words, they were getting malware that was all shrinkwrapped and looking like it was coming from a legitimate company.

And what was scary about that is the attackers got away with this, first of all penetrating SolarWinds for about eight months. And then they got away with having SolarWinds ship this malware into about 18,000 companies in the U.S...or worldwide, actually I shouldn't say the U.S., worldwide, and be able to then use this malware to basically get fully into those companies for nine months and eventually they got caught. But what was particularly scary is they really had free run of the place for nine months before they were detected. And it's particularly interesting because what they're doing is they're not trying to get you to click something. They're not trying to, you know, convince you to download this app that you've never heard before. They're taking advantage of the trust between the suppliers and the users.

And so because we trust our suppliers to ship us good code, we don't check it. Generally, we don't check it that much. And they can, you know, basically take advantage of that and say, "Hey, that's legitimate SolarWinds software. We'll install it." And so it's incredibly dangerous. And it's increasing. I saw some statistics that this type of attack is increasing 400% last year. It is the way to go if you're a bad guy. The return on investment is incredible. So, you know, that's, I think, particularly concerning. I should say one more thing here is, okay, SolarWinds wasn't particularly focused on our industry. But groups that look like they were related to the SolarWinds attackers have tried exactly the same techniques on the process industries. And we saw one a few years ago called Dragonfly, where the attacks were very deliberately directed at Tier 2 secondary vendors of industrial control systems products, getting in there, modifying their software, so that technicians, when they downloaded the latest versions, would walk them into the plant, pass the firewalls, pass the antivirus detection, pass everything, and they'd have this remote control software, what we call a wrap, living inside the processes. So this whole technique of supply chain attack is sort of the biggest trend next to ransomware in the industry right now.

Traci: I'm at a loss for words. What are you supposed to do? I mean, that's so fearful. It's crime as a service basically. They're out there tapping people that you trust. What are companies supposed to do?

Eric: Well, you know, this is the big question, and the SolarWinds has driven the whole U.S. government to reevaluate how they get software. And so we've seen this executive order come out. If you haven't been following, look up Executive Order 14028 [See: "Unpacking Executive Order 14028: Improving the Nation's Cybersecurity"]. And it's basically saying to companies that supply to the U.S. or supply critical software or supply...people who supply the U.S. government or pretty well going down the whole chain that you're going to have to do things to validate your supply chain. And that's doing things like producing what we call software bill of materials, basically an ingredients list of your software. So all sorts of methodologies to try and prove the quality...improve the quality of software and then prove that that software that you are about to install was what was actually intended to be shipped by the manufacturer. So we're seeing a lot of legislation and regulation around this. But it's going to be a slow slog over the next little while as we get better control of our supply chains, particularly in the industrial space and the process space. [See: "ARCView Report - Take Control of Your ICS, IIoT, and IoT Software Supply Chain Security Risks"and "Atlantic Council research report on the need for overall supply chain solution."]

Traci: Are these attacks aimed to gain control and cause physical harm or is it a money grab? What are the motives? Trish, you had mentioned the wastewater treatment, and it was a disgruntled employee. But what are your thoughts on that? What's the main purpose behind all of this?

Trish: I think it depends on who the attackers are and who the company that's being attacked is. It's not a straightforward question. So that wastewater site was obviously a disgruntled employee who has since been jailed for that act. But there have been others that have been state actors against other countries' facilities that have deliberately shut them down. You know, you can think of the Ukraine power network that was allegedly a state actor that shut down their power network, two consecutive winters running. You've also got Stuxnet as well, the Iran nuclear facility. So there has been some attacks that have been focused on causing physical harm to the plant in some way or shutting down vital equipment in some way. They have a certain motive. Other motives will be the money grab.

There are people out there I'm sure that are just, you know, doing the ransomware so they can try and get some...extort some money out of you to get access back to your facilities. The SolarWinds one, again, is a different one. But, you know, it's about getting access and trying to leverage and utilize that access I think in a way that the hacker gets some form of benefit, whether it is to cause disruption to some reason, you know, there may be even still financial reasons behind causing the disruption, or whether it is just purely an extortion-based hack. I think there can be all sorts of ranges of things.

Traci: Eric, what are your thoughts?

Eric: Yeah, I think there is an incredible range of motivations and as a result, techniques. A guy I really like to follow is Andy Ozment. He was the chief security officer, I think it was at Goldman Sachs or somewhere like that. And he described the attackers sort of fall into like five classes. There's the vandals, there's the burglars, AKA, the criminals, there's the thugs, there's the spies, and there's the saboteurs. And that's exactly what we're seeing. We're seeing different types of cybercriminals doing different things. So Colonial Pipeline, pretty obvious, they're after the money. They're crooks and they want cash. And they don't really care if it's a pipeline or a food plant or whatever. It's got cash, they want the cash. So consider them like bank robbers. Their techniques are going to be very bank robbers-ish.

Like if you look at the example that Trish just gave there about the attacks in the Ukraine, those are clearly saboteur attempts. They're not looking for cash. They're looking trying to destroy an infrastructure, typically for military and political reasons. So this is Ukraine wherein a not so soft war going on between Russia and the Ukraine and Russian proxies in the Eastern Ukraine, this is just another cruise missile, just another attack with an attempt to try and, you know, impact the facility. They could have done it with a bomb, but it was cheaper and easier and much more impactful to do that sort of saboteuring with software. And so that's a very different type of attacker. And then, you know, the other type of attacker that we're seeing is somebody like the ones that were doing the SolarWinds attacks or the ones that did the Dragonfly attacks with the supply chain techniques, they're looking for information. That is espionage, either financial information or they're looking for, you know, military or spying information. So you're getting these different types of attackers and they all have different goals.

Traci: Now, you brought it up, great analogy, bank robbers. Attackers are known for going after low-hanging fruit. They're going to hit the bank at the corner of Main Street rather than the Federal Reserve. How can big companies like Colonial be considered low-hanging fruit? Are they being lax in their cybersecurity?

Eric: Well, you know, I would say that they're not being up... You know, I haven't looked at that particular attack so I can't say if they were lax. Definitely, they go after low-hanging fruit, but they're not necessarily going after the lowest hanging fruit. They're doing a cost-benefit analysis. These guys are professional criminals so they're saying, "Okay, it would be easier to go after a really small pipeline, but we'll only get $100,000 out of them. Let's spend more time, more money, more effort going after Colonial and we'll get bigger paychecks out of this." And also, it can be very opportunistic. You know, it looks...you know, sometimes you'll find things like password lists posted up onto internet sites like a Pastebin and somebody will say, "Well, look there's a series of passwords for company X, Y, Z." This is probably what happened with the SolarWinds attacks initially is that passwords that should never have been posted ended up getting posted and then that was sort of like, "Okay, here's our way in."

But overall, I think there's some pretty serious lapses overall in the industry around security posture. It's just not been that important to companies, even Fortune 500 companies. I was the chief technology officer at a Fortune 500 company, and to the board, there were other things they were more worried about than cybersecurity. Now, that's changed in the last month, but you know, a good cybersecurity program will take a number of years to develop. And interest in cybersecurity by board members has not always been all that high, and so the companies often have some pretty weak security and some pretty weak strategies.

Traci: Trish, do you have any...anything to add to that?

Trish: Yeah, I think you know, the idea of preparing for it, understanding what they could be going after, and then making sure that you stress test the system. So you know, you don't want to try penetration testing on your operating control system. But you know, for your enterprise system, you should be using professionals to come and do penetration testing and see how easy it is for them to get access to what you've got. You'll probably be quite surprised at how successful they'll be, and it will be probably quite terrifying to you when you discover that. But at least then you can start to put in place what you need, make sure you're making the right investments into cybersecurity. It is just as important if not more important than physical security for your business, and it has just as many business-related implications. So you actually need to know where your vulnerabilities are.

Standard risk management says, "Well, you need to identify your hazards and implement controls for them." Well, that's what penetration testing is. Basically, it's getting someone to find all your hazards or your weak spots so you can actually put controls in place for them. And I don't think organizations either do that sort of stuff enough, or also change the organizations they used for penetration testing because, you know, one of the things here is, if you're only ever using the same company to do your cybersecurity testing, have they got a little bit comfortable with what's going on? Would you potentially get someone else that might try something different and actually have some success in getting into your system in other ways? So I think it's important to really go through a structured process. And there are professionals out there like Eric who can help with this sort of work. It should not be left to your average IT department or indeed your average process safety department to figure this one out. We're not the experts in it. We need the experts' help in this space.

Traci: Now, Eric, I want to circle back to the SolarWinds attack if I can. That was a big concern for the U.S. government with the executive orders that you had mentioned. How will it impact our industry?

Eric: Oh, it's going to change the way we do security. We're seeing it in a number of ways. First of all, that it was a real wake up to the government in two ways. First of all, the fact that they found that there was Russian intelligence operators running their networks, basically, inside the State Department, inside the Defense Department, I think that's just absolutely embarrassing. So they got very, very, very paranoid and very worried about this, and quite rightfully. This is a problem. But the second thing that happened, and Colonial was a good example of this, if you listen to the head of the CSIA, the cybersecurity agency in the DHS, you can also hear his level of frustration that he didn't...he wasn't able to answer what was going on in Colonial when he called up on the carpet by the U.S. Congress.

So there's a second point of pressure here where the U.S. government suddenly realized that they didn't have visibility into private industry. So in America, two things are going to happen. There's going to be a lot more requirements to prove that you've got good security policies in place. You're using modern security technologies, such as multifactor authentication, that you're encrypting the data, not only that's being transferred, but at rest. All of these things are being written into regulations or into this executive order, for example. And then the second thing we see is regulations that are saying, "And, Mr. Company, if you have any dealings with the U.S. government, you are going to have to share your incident information and you're going to have to share it quickly. And you're going to have to share the details," not just, "Hey, we got hacked, and we're shutting the pipeline off."

So both of those things are going to be impacting the operators, and they're going to be impacting the suppliers of equipment, the big vendors like Honeywell and Yokogawa and stuff like that because their...if they want to sell to the U.S government or they want to sell again to a pipeline that sells to the U.S. government or supplies the U.S. government, it's part of regulation. So this is the first area. And then the secondary, we're seeing follow-on regulations like the new pipeline, security guidance that was put out by TSA the other day. And so all of a sudden, everybody that's in midstream pipelines is getting these letters saying, you know, "You're going to have to do this if you want to be...if you're going to be approved by TSA as a safe pipeline."

But it's going get more interesting because I'm talking about U.S., and yet Trish and I are not Americans. I'm a Canadian and Trish is in Australia. I'm seeing countries and sovereign oil country companies like in the Middle East looking at this and going, "We're going do the same. We're going to require the same thing out of anybody operating in our country." So this will probably be beneficial but it's basically going to force everybody in the process industries, in the pipeline industries, in any of them of the critical industries are going to have to up their game considerably, whether they're an operator or an equipment supplier or a software supplier. It's going to be a different game over the next year.

Traci: Absolutely. And, obviously most of our community are private sector operators, and what's the ramifications of the regulations there?

Eric: Well, you know, again, Colonial is a really good example. And listening to the director of the CISA being so frustrated when he was speaking to Congress, you can bet that he's not going to let that happen the second time. So the private companies will, even though they are not directly supplying U.S. government, are going to find themselves facing regulations that are going to require them to cooperate with government agencies in a way they've never seen before. So just because you are a private company doesn't mean you're going to dodge this. And then because this is supply chain, if your customers deal with the government, so your supplier of, say, industrial valves or something like that, and you're selling to a company that's deploying industrial equipment or does, say, valves for the example, that's being sold on for fuel control on Air Force bases, guess what, you're going to have to comply even if you're not the primary contractor. So this is going have a ripple-down effect that I don't think anybody saw coming.

Traci: So much to think about. What are some strategies to consider? I know, Trish, in your paper, and I will offer a link in our transcript to your paper, you talk about the five knows. Can you tell us a little bit about that and maybe that'll shed some light?

Trish: Yeah, so telecommunications provider in Australia called Telstra actually has got a very brief, little paper on their website, and they call it "The Five Knows of Cyber Security." And it seemed like a really useful way to start to think about it from my perspective. So the first one was know the value of your data. You know, so whether it's your hardware control systems, whether it's your data system, what you need to know the value of, what are your crown jewels that you need to look after? Know who has access to your data. Know where your data is. And, you know, that may sound quite like a simple question, but it's actually not. If you're storing stuff on the cloud, do you actually know where it is? Know who is protecting your data and know how well your data is being protected. And so if you can focus in on some of those areas, you can start to look at what you need to be understanding. And one of the challenges there is to make sure that you're focusing on the right areas from a cybersecurity perspective. But from my perspective, if I look at it, I want to know we're focusing on the right areas from a process safety perspective and what can be a challenge there.

Traci: Oh, that brings up a good question, Trish, what is considered process safety critical equipment and data? What should they be looking at?

Trish: So we pretty much understand that when we talk about the control systems because, you know, we've always talked about those as being safety related in some way. So if we just sort of focus on the typical enterprise systems, things like your maintenance management system, that includes scheduling, tracking, and defining your maintenance activities, your operating procedures, your risk assessments, your drawings that you've got stored, your equipment data sheets. You need to understand what all that...what all that information has. And could you safely operate without access to it? So if you don't know when your safety critical devices are due for maintenance, can you safely operate? I would suggest the answer is no.

If one of your control measures is that you have this piece of safety critical equipment that you need to know has a certain reliability associated with it, if you don't know when it's due for a maintenance test, or you don't know what the maintenance parameters are for that and you could say, "Well, we'll go back to the original manufacturer and supplier," that's fine, but what management of change have you done in the meantime? What's actually changed in that setpoint? A reset of factory settings might not be enough for you either. So it's really around understanding what is stored, what are the information and knowledge stored outside of your operating system, you know, by your operators, by your engineers, by your designers, all these different sorts of people, that if you could not access will inhibit your ability to meet your safety obligations and operate safely?

Eric: You know, I think you bring up a really good point there, Trish. I'm just trying to remember the name of a nuclear facility in the U.S. Might have been Hatch, but I can't remember for sure. And about 10 years ago, their safety systems inside the reactor shut down. And it wasn't because of anything bad actually happening on the plant, but that there was information flowing inbound to the safety systems that were monitoring basically external conditions. And so these are reasonable models. You know, they were trying to look at particularly cooling water and water availability, etc. And so they had these links outside the nuclear reactor, which weren't unexpected. But somebody decided to shut down the monitoring system on one of these water monitoring systems, and in effect that rippled into the plant.

You know, nothing is an island unto itself, even the nuclear industry. You're always looking outside because you know, your water flows, you know, your weather conditions, etc. And those end up coming in to haunt you inside, and even in an environment like the nuclear plants. So what you bring up is absolutely on the money, you have to watch where your data is flowing. And I see this all the time, particularly today, when you see industrial Internet of Things, you see information that a vendor is collecting on your motor operations or your tank levels, and you think it's just staying inside your plant. "Oh, no, it's heading out to their big database where they're collecting and aggregating that data. And maybe that's really good. You know, it makes things, you know, better, it helps them support you better, etc. I'm not saying that we shut it all down, but what you brought in with those five knows is exactly that, understand where your data is flowing. Understand if that data stopped flowing both ways or one way, have you got dependencies inside your plant that are going to knock you offline?

Traci: Now, here's a question that I'm curious from both of you, can you be too safe? What are those consequences of being too tied down very tight?


Eric: I mean, if somebody wants an absolutely perfectly safe computer or control system, take your computer, unplug it, wrap it in concrete, and drop it in the middle of the ocean. I mean, it's very safe but it's not functionally useful. So really, what we're dealing with here is a balancing act between 100% safe but nonfunctional and reasonably safe and functional. And we're always playing that balancing act in safety, in security. Tying things down too much for safety, for security, for any reason, you know, ultimately is going to impact your process. It's going to impact your profitability. So it's that balancing act.

Trish: Yeah, I've heard of facilities that had really strict protocols on how you could connect various different equipment in the field into the system. And it was so restrictive. And there were so many rules to follow that the supplier that wanted to monitor the performance of their equipment actually just started to install Wi-Fi routers all over the plant and all of a sudden created a backdoor because it was too difficult to install things through the company's systems because of the number of protocols that everybody had to jump through. So you do have to be very, very careful about this idea of unintended consequences that can arise. If you make something so difficult to operate effectively in a standard way, people will find a way around it.

And you want to make sure you're not inadvertently making it less safe by people creating backdoors into your facility that you don't even know about. And interestingly, this site only found it because all of a sudden they started to see all these Wi-Fi addresses popping up and had no idea where they were or what they were doing.

Eric: You're absolutely right on there. I was asked to do mergers and acquisitions due diligence on a company in Europe that supplied equipment for machine manufacturers in packaging lines and things like that in the manufacturing industry. And I was looking at their product lines and one of the things they had was a cellular blade that basically went into a PLC. I said, "What do you use that cellular blade for?" And he said, "Oh, well, that's so the packaging line manufacturer can talk directly to the packaging line and support it." And I said, "Well, don't you want to run it through the IT department and, you know, don't they have a network?" And they said, "No, no, we have all these customers who say it's just too much trouble." So they slam a cellular blade into this PLC and now they can get around the IT department. And that, of course, absolutely defeats the whole point of the security. You want to make security or safety or whatever process you're working, work for people. You want to make it easier for them to do the right thing, not so miserable that they will do the wrong thing in order to get their job done.

Trish: Yep, absolutely. Basic human factors.

Traci: Can you explain what the blade is? I don't know what that is, Eric.

Eric: Oh, it's just a module. It's just...you know, when you look at a programmable logic controller, they'll have card slots across there where you can put I/O cards in. And so, you know, and most of PLCs have a slot, you know, to plug in an Ethernet module so that the PLC can talk to an Ethernet network and then maybe ultimately to the IT department. But this one had the option to instead of putting an Ethernet module or in addition to putting an Ethernet, you could put a cellular blade in so that it would talk over cellular network back to the manufacturer. And to be absolutely clear, there's other use cases for that. I mean, you want that if you're somewhere where you're on a pipeline or something like that and there is no comms. But these guys sold it specifically to get around IT departments. That was their whole business model.

Traci: Well, with that is there anything else you'd like to add? Trish, you know I like this question. I'll toss it out to you first. Is there anything else that you'd like to add in this conversation about cybersecurity and process safety?

Trish: Just that you need to make sure you apply solid risk management principles to understanding the hazards in this issue and then go about implementing adequate control measures to manage your risk. And to do that, you'd need to engage with the experts in this field. Don't get caught up and think that it's an easy topic and you can do it all yourself internally. There are experts out there that will be able to help you in a much quicker way, in a much more thorough way, and you'll actually be able to get the objectives that you're trying to. If you try and do cybersecurity stuff yourself, you're probably going to come unstuck at some point in time and you will get hacked. There's no question about that. Everybody will get hacked at some point in time. So you want to make sure you've got the best team on your side for it.

Traci: Eric is one of those experts. What are your final thoughts?

Eric: Well, thank you and appreciate that. And I would say that just because somebody is an expert on cybersecurity doesn't mean they're the expert on your facility or plant or chemical processes. I mean, my background is process engineering, but I don't know every chemical process. So you really want to make this a team effort. It's not about... So if you get a cybersecurity expert, you want one that is going to work with your safety team and work with the process teams. The best ones out there that I've seen are companies that actually have safety and security teams together.

Because a lot of the problems, you know, are so interrelated that you can piggyback off of your safety models and your HazOps and things like that and get a long way. But you can't just take a HazOp and say it's a security model. You do need that expertise. But safety and security is never an individual problem. A friend of mine used to say that there's never a hole in just your end of the boat. In order to have a safe, secure, protected facility, everybody needs to be working together to plug the holes.

Trish: Absolutely. One of the things I often say is safety is a team sport. And you know, that's a perfect example that you've just given there, Eric. You need everybody in their specialist areas needs to work together.

Eric: Yeah. And you see that in the best companies, where they bring security teams together that consists of, you know, a process engineer, a safety engineer, cybersecurity expert, and really bring that team together and have them work together to come up with a solution that's going to let the company run effectively, safely and securely. Because one out of three ain't good enough, two out of three ain't good enough. You need to do all of them.

Traci: Well, this has been a great and important conversation. I appreciate your candor on all of this. Unfortunate events happen all over the world and we will be here to discuss and learn from them. Subscribe to this free podcast so you can stay on top of best practices. On behalf of Trish and Eric, I'm Traci and this is "Process Safety with Trish & Traci."

Trish: Stay safe.

Check out all the episodes of Process Safety With Trish & Traci.

Want to be the first to know? Subscribe and listen to Process Safety With Trish & Traci on these platforms

Trish Kerin, director, IChemE Safety Centre, Institution of Chemical Engineers, spent several years working in design, project management, operational, safety and executive roles for the oil, gas and chemical industries. She currently sits on the board of the Australian National Offshore Petroleum Safety and Environmental Management Authority (NOPSEMA) and is a member of the Mary Kay O'Connor Process Safety Center steering committee. You can email her at [email protected].
Traci Purdum, an award-winning business journalist with extensive experience covering manufacturing and management issues, joined Chemical Processing as senior digital editor in 2008. Traci is a graduate of the Kent State University School of Journalism and Mass Communication, Kent, Ohio, and an alumnus of the Wharton Seminar for Business Journalists, Wharton School of Business, University of Pennsylvania, Philadelphia. You can email her at [email protected].

Sponsored Recommendations

Keys to Improving Safety in Chemical Processes

Many facilities handledangerous processes and products on a daily basis. Keeping everything undercontrol demands well-trained people workingwith the best equipment.

Get Hands-On Training in Emerson's Interactive Plant Environment

Enhance the training experience and increase retention by training hands-on in Emerson's Interactive Plant Environment. Build skills here so you have them where and when it matters...

Managing and Reducing Methane Emission in Upstream Oil & Gas

Measurement Instrumentation for reducing emissions, improving efficiency and ensuring safety.

Heat Recovery: Turning Air Compressors into an Energy Source

More than just providing plant air, they're also a useful source of heat, energy savings, and sustainable operations.